46 Cons "[| RA : responses evs; Key KAB ~: used evs |] |
46 Cons "[| RA : responses evs; Key KAB ~: used evs |] |
47 ==> {|Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|}, |
47 ==> {|Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|}, |
48 RA|} : responses evs" |
48 RA|} : responses evs" |
49 |
49 |
50 |
50 |
51 consts recur :: agent set => event list set |
51 consts recur :: event list set |
52 inductive "recur lost" |
52 inductive "recur" |
53 intrs |
53 intrs |
54 (*Initial trace is empty*) |
54 (*Initial trace is empty*) |
55 Nil "[]: recur lost" |
55 Nil "[]: recur" |
56 |
56 |
57 (*The spy MAY say anything he CAN say. Common to |
57 (*The spy MAY say anything he CAN say. Common to |
58 all similar protocols.*) |
58 all similar protocols.*) |
59 Fake "[| evs: recur lost; B ~= Spy; |
59 Fake "[| evs: recur; B ~= Spy; |
60 X: synth (analz (sees lost Spy evs)) |] |
60 X: synth (analz (sees Spy evs)) |] |
61 ==> Says Spy B X # evs : recur lost" |
61 ==> Says Spy B X # evs : recur" |
62 |
62 |
63 (*Alice initiates a protocol run. |
63 (*Alice initiates a protocol run. |
64 "Agent Server" is just a placeholder, to terminate the nesting.*) |
64 "Agent Server" is just a placeholder, to terminate the nesting.*) |
65 RA1 "[| evs: recur lost; A ~= B; A ~= Server; Nonce NA ~: used evs |] |
65 RA1 "[| evs: recur; A ~= B; A ~= Server; Nonce NA ~: used evs |] |
66 ==> Says A B |
66 ==> Says A B |
67 (Hash[Key(shrK A)] |
67 (Hash[Key(shrK A)] |
68 {|Agent A, Agent B, Nonce NA, Agent Server|}) |
68 {|Agent A, Agent B, Nonce NA, Agent Server|}) |
69 # evs : recur lost" |
69 # evs : recur" |
70 |
70 |
71 (*Bob's response to Alice's message. C might be the Server. |
71 (*Bob's response to Alice's message. C might be the Server. |
72 XA should be the Hash of the remaining components with KA, but |
72 XA should be the Hash of the remaining components with KA, but |
73 Bob cannot check that. |
73 Bob cannot check that. |
74 P is the previous recur message from Alice's caller. |
74 P is the previous recur message from Alice's caller. |
75 NOTE: existing proofs don't need PA and are complicated by its |
75 NOTE: existing proofs don't need PA and are complicated by its |
76 presence! See parts_Fake_tac.*) |
76 presence! See parts_Fake_tac.*) |
77 RA2 "[| evs: recur lost; B ~= C; B ~= Server; Nonce NB ~: used evs; |
77 RA2 "[| evs: recur; B ~= C; B ~= Server; Nonce NB ~: used evs; |
78 Says A' B PA : set evs; |
78 Says A' B PA : set evs; |
79 PA = {|XA, Agent A, Agent B, Nonce NA, P|} |] |
79 PA = {|XA, Agent A, Agent B, Nonce NA, P|} |] |
80 ==> Says B C (Hash[Key(shrK B)] {|Agent B, Agent C, Nonce NB, PA|}) |
80 ==> Says B C (Hash[Key(shrK B)] {|Agent B, Agent C, Nonce NB, PA|}) |
81 # evs : recur lost" |
81 # evs : recur" |
82 |
82 |
83 (*The Server receives Bob's message and prepares a response.*) |
83 (*The Server receives Bob's message and prepares a response.*) |
84 RA3 "[| evs: recur lost; B ~= Server; |
84 RA3 "[| evs: recur; B ~= Server; |
85 Says B' Server PB : set evs; |
85 Says B' Server PB : set evs; |
86 (PB,RB,K) : respond evs |] |
86 (PB,RB,K) : respond evs |] |
87 ==> Says Server B RB # evs : recur lost" |
87 ==> Says Server B RB # evs : recur" |
88 |
88 |
89 (*Bob receives the returned message and compares the Nonces with |
89 (*Bob receives the returned message and compares the Nonces with |
90 those in the message he previously sent the Server.*) |
90 those in the message he previously sent the Server.*) |
91 RA4 "[| evs: recur lost; A ~= B; |
91 RA4 "[| evs: recur; A ~= B; |
92 Says B C {|XH, Agent B, Agent C, Nonce NB, |
92 Says B C {|XH, Agent B, Agent C, Nonce NB, |
93 XA, Agent A, Agent B, Nonce NA, P|} : set evs; |
93 XA, Agent A, Agent B, Nonce NA, P|} : set evs; |
94 Says C' B {|Crypt (shrK B) {|Key KBC, Agent C, Nonce NB|}, |
94 Says C' B {|Crypt (shrK B) {|Key KBC, Agent C, Nonce NB|}, |
95 Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|}, |
95 Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|}, |
96 RA|} : set evs |] |
96 RA|} : set evs |] |
97 ==> Says B A RA # evs : recur lost" |
97 ==> Says B A RA # evs : recur" |
98 |
98 |
99 (**No "oops" message can easily be expressed. Each session key is |
99 (**No "oops" message can easily be expressed. Each session key is |
100 associated--in two separate messages--with two nonces. |
100 associated--in two separate messages--with two nonces. |
101 ***) |
101 ***) |
102 end |
102 end |